V. Reasoned statement under Art. 35(2)

1. Reference is made to the following documents; the numbering will be adhered to in
the rest of the procedure:

D1: WO 96/42041 A (OPEN MARKET INC) 27 December 1996 (1996-12-27)

2. The application does not meet the requirements of Article 6 PCT, because the 
independent claims 1 and 25 are not clear: 

2.1 In claim 1 it is not clear which entities perform the steps of "transmitting an
authentication request" and "receiving a response to said authentication request".
It is assumed that they are performed by the client (as in figure 3).

2.2 A similar objection is to be raised for claim 25 for the corresponding features.

3. The present application does not meet the criteria of Article 33(1) PCT, because the
subject-matter of independent claims 1 and 25 does not involve an inventive step in
the sense of Article 33(3) PCT.



3.1 Referring to the wording of claim 1, document D1 discloses:

a method for controlling access to a network (abstract); said method comprising: 

receiving, by an access point of said network, a request to access said network, 
said request transmitted by a client (Get CP: figure 3, step 3); 
re-directing, by said AP, said access request to a local server (this step can be 
omitted in the case that AP and local server are co-located - one of two 
straightforward possibilities); 

generating a URL by said AP/local server requesting that said client select an
authentication server (AS) and forwarding said generated URL to said client
(Redirect [AS]: figure 3, step 4; page 14, lines 6-8; it is to be noted that for the
purpose of the authentication it is not relevant whether such URL to the authentication
server is sent directly to the user or whether it is embedded in a Web page and then sent
to the user);

transmitting an authentication request to said selected authentication server 
([AS] Get CP: figure 3, step 5; page 14, lines 8-13);
receiving a response to said authentication request from said selected 
authentication server (New URL w/SID: figure 3, step 8; page 14, line 34 - page 
15, line 1). 

storing a mapping of an association of unique data with an identifier of said 
client in said AP (page 15, lines 3-5); 

3.2 From the method disclosed in document D1 the subject-matter of claim 1 differs in
that the AP/local server associates/generates the unique data with an identifier of said
client. The problem to be solved is to generate a challenge which can be authenticated
by another trusted party.

This feature is merely one of the straightforward possibilities from which the skilled
person would select in accordance with circumstances, without the exercise of
inventive skill, in order to solve the problem posed. Applying a session ID and a
randomized number for the authentication is very well known in the art and used e.g.
in IEEE 802.1x systems (see description, page 14, lines 13-14).

3.3 Furthermore it is to be noted that the problem to be solved by the present application
is to authenticate a user without requiring an explicit separate communication
session between the access point and the authentication server (see description
page 3, lines 3-6 and 29-32). Document D1 provides exactly the same solution. The
mere fact that access to a service rather than access to the network is
controlled is regarded as irrelevant.

Thus, the subject-matter of claim 1 does not involve an inventive step and does not 
satisfy the criterion set forth in Articles 33(1) and 33(3) PCT. 

3.4 The above-mentioned lack of clarity notwithstanding, referring to the wording of claim 
25, as far as it can be construed, document D1 discloses: 

a system for controlling access to a network comprising: 

i) a client (client 50, figure 3); 

ii) an access point AP co-located with a local server LS for relaying network 
communications to and from the client (content server 52, figure 3); and 

iii) an authentication server (54, figure 3) for performing an authentication process 
in response to a request from the client; wherein

the LS transmits the unique data to the client (Redirect [AS]: figure 3, step 
4; page 14, lines 6-8); 

the authentication server, upon authenticating the client using the unique 
data (page 14, lines 14-29), is operative to provide a re-direct header for 
access to the client (New URL w/SID: figure 3, step 8; page 14 line 34 - 
page 15, line 1) including a digitally signed authentication message and 
authentication parameters corresponding to the unique data (page 14, 
lines 30-33), 

the AP receiving the digitally signed retrieved re-directed URL and 
authentication parameters from the client (figure 3, step 9) and the AP 
further correlating the authentication parameters with the mapped 
association data for determining access to the network based on the 
results of the correlation (page 14, lines 3-8). 

From the method disclosed in document D1 the subject-matter of claim 25 differs in
that the AP/local server associates/generates the unique data with an identifier of said
client. This feature cannot be regarded as involving an inventive step, as already stated
in points 3.2 and 3.3.

Thus, the subject-matter of claim 25 does not involve an inventive step and does not
satisfy the criterion set forth in Articles 33(1) and 33(3) PCT.

4. The dependent claims 2-13, 26-34, 36 and 41 do not appear to contain any
additional features which, in combination with the features of any claim to which they
refer, involve an inventive step (Articles 33(1) and 33(3) PCT) for the reason that the
subject-matter of said claims is either in principle directly derivable from the
disclosure of the document D1 or represents simple design details which are
generally known to the person skilled in the field of access control.

4.1 Claims 2 and 26: the additional feature of these claims (said network is a WLAN)
cannot be regarded as involving an inventive step, as already stated in point 3.3.

CLAIMS:

1. A method for controlling access to a network, said method comprising:

receiving, by an access point (AP) of said network, a request to access said 
network, said request transmitted by a client; 

re-directing, by said AP, said access request to a local server; 

associating unique data with an identifier of said client and storing a mapping
of said association in said AP;

generating a Web page by said local server requesting that said client select an 
authentication server (AS) and including said unique data and forwarding said generated Web 
page to said client; 

transmitting an authentication request to said selected authentication server; 

and 

receiving a response to said authentication request from said selected 
authentication server. 



2. The method according to claim 1, wherein said network is a wireless Local Area
Network (WLAN).

3. The method according to claim 1, further comprising: 

forwarding said identifier of said client from said local server; and 
generating said unique data for said client by said local server. 

4. The method according to claim 1, further comprising: 

retrieving, by said client, a re-directed URL having embedded data including a
first digital signature, authentication parameters and said unique data and forwarding said
re-directed URL to said AP;

creating, by said AP, a second digital signature using said authentication 
parameters, said unique data and said identifier; 

comparing, by said AP, said first digital signature with said second digital
signature;

determining, by said AP, if there is a match between said first digital signature 
and said second digital signature; and 
performing, by said AP, one of granting network access and denying network
access based on said match determination. 

5. The method according to claim 1, wherein said unique data includes a session ID 
and a randomized number. 

6. The method according to claim 1, wherein said identifier is an address of said
client.

7. The method according to claim 1, wherein the act of authenticating further
comprises:

processing, by said AS, said authentication request, wherein said authentication 
request includes a session ID embedded in said authentication request; 

responding to said authentication request by forwarding to said client by said 
AS an authentication input page, said authentication input page including a request for 
authentication information; and 

receiving, by said AS, authentication credentials from said client, wherein said
response to said authentication request forwarded to said client includes a re-direct header and
a success code and associated information relevant to access of said network by said client.

8. The method according to claim 7, wherein the act of forwarding further comprises 
generating, by said AS, said success code and said associated information includes a first 
digital signature and authentication parameters. 

9. The method according to claim 5, wherein said randomized number is one of a 
random number and a pseudo-random number. 

10. The method according to claim 1, wherein said identifier is one of a physical
(PHY) address of said client, a MAC address of said client and an IP address of said client.

11. The method according to claim 1, wherein said AP and said local server are
co-located.


12-04-2005 609 734 6888 US0424559 

PU030028 

12. The method according to claim 4, wherein said first and said second digital 
signatures are generated using one of a private key of said AS and a shared key between said 
AS and said local server. 

13. The method according to claim 4, wherein said second digital signature is locally 
generated at said AP. 



Claim 14. (CANCELLED)

Claim 15. (CANCELLED)

Claim 16. (CANCELLED)

Claim 17. (CANCELLED)

Claim 18. (CANCELLED)

Claim 19. (CANCELLED)

Claim 20. (CANCELLED)

Claim 21. (CANCELLED)

Claim 22. (CANCELLED)

Claim 23. (CANCELLED)

Claim 24. (CANCELLED)



25. A system for controlling access to a network comprising: 
a client; 
an access point (AP) coupled to a local server (LS) for relaying network
communications to and from the client; and 

an authentication server for performing an authentication process in response to a 
request from the client; wherein 

the AP, in response to a re-directed request to access the network from the 
client, associates unique data with an identifier of the client and stores a mapping of 
the association; 

the LS transmits the unique data to the client; 

the authentication server, upon authenticating the client using the unique data,
is operative to provide a re-direct header for access to the client including a digitally 
signed authentication message and authentication parameters corresponding to the 
unique data, the AP receiving the digitally signed retrieved re-directed URL and 
authentication parameters from the client and the AP further correlating the 
authentication parameters with the mapped association data for determining access to 
the network based on the results of the correlation. 

26. The system of claim 25, wherein the network is a wireless local area network 
(WLAN) comprising the access point and local server. 

27. The system of claim 25, wherein the local server generates a web page requesting 
that the client select an authentication server, and embeds the unique data in the web page for 
transmission to the client. 

28. The system of claim 25, wherein the identifier of the client is one of a physical 
address, MAC address and an IP address, and wherein the unique data comprises a session ID 
and a randomized number. 

29. The system of claim 28, wherein the session ID and randomized number are 
generated by the local server. 

30. The system of claim 28, wherein the authentication server receives user credential 
information from the client and provides a digitally signed authentication message including 
and authentication parameters using said unique data through HTTPS to the client via said
re-direct header to the client.



31. The system of claim 30, wherein the AP, in response to receiving the digitally
signed authentication message re-directed from the client including the authentication
parameters and at least a portion of the unique data from the client, generates a local digital
signature using the received portion of the unique data and the stored mapping data together
with the authentication parameters, and compares the local digital signature with the digitally
signed authentication message to determine network access by the client.

32. The system of claim 25, wherein the re-direct header further comprises a means 
for re-directing a browser of the client to a URL on the network, and embedding in the URL 
said digitally signed authentication message, the authentication parameters and a portion of 
the unique data. 



33. The system of claim 26, wherein said AP and said LS are co-located. 



34. The method of Claim 1, further comprising: 

at the authentication server, authenticating the client using the unique data, and 
forwarding said response to the client using a re-direct header, and including a digitally signed 
authentication message and authentication parameters corresponding to the unique data; and 

the access point receiving from the client according to the re-direct header the digitally 
signed authentication message and authentication parameters and correlating the 
authentication parameters with the mapped association data for determining access to the 
network. 

Claim 35. (CANCELLED) 

36. The method of Claim 1, wherein said unique data comprises a session ID and a
randomized number and further comprising: receiving, by said AP, a re-directed request from 
the client and including a digitally signed authentication message, an authentication parameter 
list, and said session ID, the digitally signed authentication message being generated using the 
randomized number, said session ID and said authentication parameter list, by said selected
authentication server associated with the client; and 

correlating the received digitally signed authentication message with the re- 
directed request for access using the stored mapping data for controlling access by the client 
to the network. 

Claim 37. (CANCELLED) 

Claim 38. (CANCELLED) 

Claim 39. (CANCELLED) 

Claim 40. (CANCELLED) 

41. The method according to claim 36, wherein said AP and said LS are co-located.
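As an added illustration of the claimed flow (not code from the application, the examiner's report or D1): the AP/local server binds a session ID and randomized number to the client's MAC address and stores the mapping (claims 1, 5 and 10), the authentication server signs the success parameters together with that unique data (claims 8 and 36), and the AP rebuilds the signature from its stored mapping and compares it before granting or denying access (claims 4 and 31). It assumes the "shared key" variant of claim 12, realised here as an HMAC, and that the AP uses the client identifier to look up the mapping rather than as signature input; the key, user and MAC values are constructed.

```python
import hashlib
import hmac
import secrets
SHARED_KEY = b"constructed-demo-shared-key"  # assumed key shared by AS and AP/LS (claim 12)

def sign(key: bytes, params: str, session_id: str, nonce: str) -> str:
    # Signature over the parameters and unique data (claim 36); an HMAC stands in for the scheme
    msg = "|".join([params, session_id, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class AccessPoint:
    """AP co-located with the local server (claims 11 and 33)."""
    def __init__(self, key: bytes):
        self.key = key
        self.mapping = {}  # session_id -> (client identifier, randomized number)
    def redirect_request(self, client_mac: str) -> dict:
        # Claims 1 and 5: bind session ID + random number to the client's MAC and store the mapping
        session_id, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.mapping[session_id] = (client_mac, nonce)
        return {"session_id": session_id, "nonce": nonce}  # embedded in the AS-selection page
    def verify_redirect(self, client_mac: str, session_id: str, params: str, sig: str) -> bool:
        # Claim 4: rebuild the signature from the stored mapping and compare; the mapping is
        # consumed so that a replayed re-directed URL is refused
        entry = self.mapping.pop(session_id, None)
        if entry is None or entry[0] != client_mac:  # unknown session or a different client
            return False
        return hmac.compare_digest(sign(self.key, params, session_id, entry[1]), sig)

class AuthServer:
    """AS (claims 7 and 8): checks credentials, then signs the success parameters."""
    def __init__(self, key: bytes, users: dict):
        self.key, self.users = key, users
    def authenticate(self, session_id: str, nonce: str, user: str, password: str):
        if self.users.get(user) != password:
            return None  # no re-direct header with a success code is issued
        params = f"success=1;user={user}"
        return {"params": params, "sig": sign(self.key, params, session_id, nonce)}

def run_flow(password: str = "correct-horse", tamper: bool = False) -> bool:
    # Constructed end-to-end run for one client; tamper=True models the client editing the URL
    ap = AccessPoint(SHARED_KEY)
    auth = AuthServer(SHARED_KEY, {"alice": "correct-horse"})
    mac = "00:11:22:33:44:55"
    unique = ap.redirect_request(mac)  # access request, re-direct, mapping, page with unique data
    resp = auth.authenticate(unique["session_id"], unique["nonce"], "alice", password)
    if resp is None:
        return False
    params = resp["params"] + ";role=admin" if tamper else resp["params"]
    return ap.verify_redirect(mac, unique["session_id"], params, resp["sig"])
```

Because the mapping entry is removed on first use, presenting the same re-directed URL a second time, or from a different MAC address, is denied even though its signature is still valid.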